Social engineering tales
•Télécharger en tant que PPTX, PDF•
4 j'aime•1,849 vues
An introductory session about Social Engineering presented at ICT Nuggets Forum - Khartoum, organized by Duko team. We talked about what is social engineering? terms related to it? and how attacks can bee carried. We also told a lot of stories about successful social engineering attacks and how much damage they did. Finally we talked about how to protect yourself and your company social engineering attacks.
Recommandé
Recommandé
Contenu connexe
Tendances
Tendances (20)
En vedette
En vedette (20)
Similaire à Social engineering tales
Similaire à Social engineering tales (20)
Dernier
Dernier (20)
Social engineering tales
- 1. Social Engineering Tales Ahmed Abbas Mohammed MCP, E|CHFI, E|CEH, MCSA Azure, MCSA Office365
- 3. Disclaimer
- 4. Introduction about Myself • Ahmed Abbas Mohammed. • Graduated from SUST-CSIT, Networks department. • Currently working as an Information Security Administrator. • Organizer and speaker at OWASP Khartoum. • Member at Sudan-T00r and Hex Hex security teams. • Interested in physical security, security awareness and psychology.
- 6. Some Statistics [Microsoft Survey]
- 7. Some Statistics [Microsoft Survey]
- 8. Some Statistics [Microsoft Survey]
- 9. Some Statistics [Microsoft Survey]
- 10. Some Statistics [Microsoft Survey]
- 11. Who Are You ?
- 12. Basics of Social Engineering Social Engineering Tales - 2015
- 13. What is social engineering? • the art of manipulating, influencing, or deceiving you in order to gain control over your computer system. The hacker might use the phone, email, snail mail or direct contact to gain illegal access. • Why spend thousands of dollars on sophisticated hacking software when you could just trick someone into telling you the password?
- 14. Terms • Confidence trick • Amygdala hijacking • Elicitation • Influencing • Manipulation • Pretexting Social Engineering Tales - 2015 • Phishing • Spear-phishing • Harvesting • Dumpster diving • Shoulder surfing • Tailgating
- 15. Attack Methods – Baiting
- 16. Attack Methods – Phishing
- 17. Attack Methods – Pretexting
- 18. Attack Methods – Quid Pro Quo
- 19. Attack Methods – Tailgating
- 20. Humans Weak Points • Diffusion of Responsibility • Chance for Ingratiation • Trust Relationship • Guilt • Desire to help.
- 21. Why is Social Engineering Effective? • Manipulates legitimate users into undermining their own security system • Abuses trusted relationships between employees • Very cheap for the attacker • Attacker does not need specialized equipment or skills
- 22. Hackers Movie, Social Engineering
- 23. The Tales
- 24. “Save power is save money!
- 26. NSA, and Snowden
- 28. Wells Fargo, You are doing it wrong
- 29. My $50,000 Twitter Username Was Stolen
- 31. KDMS team
- 32. NATO
- 33. Wal-Mart
- 34. ICANN
- 35. Social Engineering Tales - 2015 35 Recorded Demo
- 36. How To Protect Yourself
- 41. Defense for Companies Social Engineering Tales - 2015 41
- 49. Thank you Social Engineering Tales Ahmed Abbas Mohammed MCP, E|CHFI, E|CEH, MCSA Azure, MCSA Office365
Notes de l'éditeur
- Who visited your facebook account .. Who blocked you ? Who is your best firend .. Win free stuff
- Phishing involves false emails, chats, or websites designed to impersonate real systems with the goal of capturing sensitive data. A message might come from a bank or other well known institution with the need to “verify” your login information. It will usually be a mocked-up login page with all the right logos to look legitimate. It could also be a message claiming you are the “winner” of some prize or lottery coupled with a request to hand over your bank information, or even a charity plea after a big natural disaster with instructions to wire information to the “charity/criminal”.
- Pretexting is the human equivalent of phishing, where someone impersonates an authority figure or someone your trust to gain access to your login information. It can take form as fake IT support needing to do maintenance, or a false investigator performing a company audit. Someone might impersonate co-workers, the police, tax authorities or other seemingly legitimate people in order to gain access to your computer and information.
- Quid Pro Quo is a request for your information in exchange for some compensation. It could be a free T-shirt or access to an online game or service in exchange for your login credentials, or a researcher asking for your password as part of an experiment in exchange for $100. If it sounds too good to be true, it probably is quid pro quo
- In 2009 Coca Cola was deeply hacked. It all started with an email that has this subject line: “Save power is save money! (from CEO)” Executive Paul Etchells was the first victim. major upcoming acquisition of a Chinese firm, a deal that later fell apart because of hackers
- The attacker in this case sent two different phishing emails over a two-day period. The two emails were sent to two small groups of employees; you wouldn’t consider these users particularly high profile or high value targets. The email subject line read “2011 Recruitment Plan.” The email was crafted well enough to trick one of the employees to retrieve it from their Junk mail folder, and open the attached excel file. It was a spreadsheet titled “2011 Recruitment plan.xls. The spreadsheet contained a zero-day exploit that installs a backdoor through an Adobe Flash vulnerability (CVE-2011-0609). As a side note, by now Adobe has released a patch for the zero-day, so it can no longer be used to inject malware onto patched machine
- Edward Snowden used login credentials and passwords provided unwittingly by colleagues ... to access some of the classified material he leaked. ... A handful of agency employees who gave their login details to Snowden were identified, questioned and removed from their assignments. ... Snowden may have persuaded between 20 and 25 fellow workers at the NSA regional operations center in Hawaii to give him their logins and passwords by telling them they were needed for him to do his job as a computer systems administrator. ... People familiar with efforts to assess the damage to U.S. intelligence caused by Snowden's leaks have said assessments are proceeding slowly because Snowden succeeded in obscuring some electronic traces of how he accessed NSA records. ... The revelation that Snowden got access to some of the material he leaked by using colleagues' passwords surfaced as the U.S. Senate Intelligence Committee approved a bill intended in part to tighten security over U.S. intelligence data. One provision of the bill would earmark a classified sum of money ... to help fund efforts by intelligence agencies to install new software designed to spot and track attempts to access or download secret materials without proper authorization.'"
- Paul Allen, a co-founder of Microsoft, recently became a victim of a social engineering scheme. Brandon Price, an army deserter from Pittsburg PA, was able to obtain Allen’s debit card through Citibank’s call center. Price impersonated Allen on the phone call and changed the account’s address to his own; He then ordered a new debit card which was subsequently sent out. Price used this card to make a payment on a loan and then attempted a failed wire transfer and in-store purchase.
- To understand what happened, you must know that Catholic Healthcare West, the hospital chain in question, signed a contract with Merced County, California, to operate a medical center in the San Joaquin Valley. In order to be able to do that, the chain had to maintain an escrow account with $7.5 millions in it. At the same time, it decided to change banks, but needed the approval of the county's Board of Supervisors to do that. They did approve but, unfortunately, the county put a partial copy of this agreement on its official website, complete with the signatures of the chain's CFO Michael Blaszyk and the Merced County Director of Public Health Tammy Chandler. Armed with the name of the bank where Catholic Healthcare West had the account and the name and signature of the chain's CFO, the fraudster put the plan in motion in December 2011, Forbes reports. First he faxed a request for Wells Fargo to wire $445,000 from the chain's escrow account to one in the HSBC bank in New York. Although "signed" by Blaszyk and Chandler, the transfer was denied because the account at HSBC was nonexistent. The escrow agent moved to check with HSBC why the request was rejected - or so he thought. Unfortunately, he called the bank's number he got off the fax, and got an answering machine. The number actually belonged to the fraudster, who called back after a short period of time, posed as Blaszyk, and told the escrow agent to ignore the wire transfer request. A week later, the fraudster tried again. This time, a request was made for the same amount to be transferred to an account under the same name in bank in Hong Kong. Again, the request was rejected on same grounds. Almost a week later, the escrow agent received a third wire transfer request: to send $989,000 to an account in the name of Textil Trading UK Limited at another bank at the Standard Chartered Bank in Hong Kong. And this time, the account existed, the request was approved and the money was transferred. Seeing that the scheme was finally successful, the fraudster tried again three times. The first request was denied because the transfer of the amount requested would require the bank to sell securities, and the fraudster didn't indicate which ones. The second one hit another jackpot, and $1.1 million were wired to the Hong Kong account. And the third one - a request for a transfer of $2.2 million - was when the escrow agent began to suspect something was wrong. He finally called Catholic Healthcare West and found out that all the earlier requests were not sent by them. Wells Fargo has since reimbursed Catholic Healthcare West for the stolen money, and has engaged a legal team to try to get the stolen money - or what is left of it - back from the hong Kong account. They are also working with law enforcement on finding the individual(s) behind the fraudulent scheme. http://www.net-security.org/secworld.php?id=12516
- https://medium.com/@N/how-i-lost-my-50-000-twitter-username-24eb09e026dd
- 2005 Tmobile sidekick http://mathcs.slu.edu/~chambers/spring11/security/schedule/SecuritySlides.pdf
- Social engineering an employee to give the creds Initial reports from Rapid7 revealed that a spoofed DNS change request sent by fax to Register.com led to the domains being hijacked. However, after further investigations, Register.com determined that the hackers social engineered an employee into handing over legitimate credentials.
- The top military commander in NATO has been targeted by attackers wielding fake Facebook pages.Attackers have been creating Facebook pages under the name of Admiral James Stavridis, NATO's Supreme Allied Commander Europe (SACEUR), in an attempt to lure his colleagues, friends, and family into connecting with the account and divulging private information, reported The Observernewspaper in Britain on Sunday. "There have been several fake SACEUR pages. Facebook has cooperated in taking them down… the most important thing is for Facebook to get rid of them," a NATO official told the Observer, noting that similar attacks first began about two years ago. The fake pages are cause for concern for NATO officials, who have been turning to social media to disseminate more news relating to the alliance. In October, Stavridis used his Facebook page to announce the end of military operations in Libya. "First and foremost, we want to make sure that the public is not being misinformed. SACEUR and NATO have made significant policy announcements on either the Twitter or Facebook feed, which reflects NATO keeping pace with social media. It is important the public has trust in our social media," said the NATO official. http://www.darkreading.com/risk-management/facebook-social-engineering-attack-strikes-nato-/d/d-id/1103308?
- http://money.cnn.com/2012/08/07/technology/walmart-hack-defcon/
- http://www.csoonline.com/article/2860737/social-engineering/icann-targeted-by-spear-phishing-attack-several-systems-impacted.html